AMENDMENTS TO THE CLAIMS

1. (Original) A memory management unit for managing a memory storing data arranged
within a plurality of memory pages, the memory management unit comprising:

a security check unit coupled to receive a physical address generated during
execution of a current instruction, wherein the physical address resides within a selected
memory page, and wherein the security check unit is configured to use the physical
address to access at least one security attribute data structure located in the memory to
obtain a security attribute of the selected memory page, to compare a numerical value
conveyed by a security attribute of the current instruction to a numerical value conveyed
by the security attribute of the selected memory page, and to produce an output signal
dependent upon a result of the comparison; and

wherein the memory management unit is configured to access the selected memory page
dependent upon the output signal.

2. (Original) The memory management unit as recited in claim 1, wherein the at least one
security attribute data structure comprises a security attribute table directory and at least one
security attribute table.



3. (Original) The memory management unit as recited in claim 2, wherein the security
attribute table directory comprises a plurality of entries, and where each entry of the security
attribute table directory includes a present bit and a security attribute table base address field, and
wherein the present bit indicates whether or not a security attribute table corresponding to the
security attribute table directory entry is present in the memory, and wherein the security
attribute table base address field is reserved for a base address of the security attribute table
corresponding to the security attribute table directory entry.

4. (Original) The memory management unit as recited in claim 2, wherein the at least one
security attribute table comprises a plurality of entries, and where each entry of the security
attribute table includes a security context identification (SCID) field, and wherein the SCID field
includes a plurality of bit positions, and wherein the bit positions form a binary representation of
an SCID value, and wherein the SCID value is an integer value greater than or equal to 0, and
wherein the SCID value indicates a security context level of a corresponding memory page.



5. (Original) The memory management unit as recited in claim 1, wherein the security
attribute of the selected memory page comprises a security context identification (SCID) value,
and wherein the SCID value is an integer value greater than or equal to 0 and indicates a security
context level of the selected memory page.



6. (Original) The memory management unit as recited in claim 1, wherein the security
attribute of the current instruction comprises a security context identification (SCID) value, and
wherein the SCID value is an integer value greater than or equal to 0 and indicates a security
context level of a memory page containing the current instruction.

7. (Original) The memory management unit as recited in claim 1, wherein the security
check logic is configured to obtain the security attribute of the current instruction from the at
least one security attribute data structure.



8. (Original) The memory management unit as recited in claim 1, wherein the output signal
is a fault signal.



9. (Original) The memory management unit as recited in claim 1, wherein the security
check unit is configured to receive a set of security attributes of the selected memory page in
addition to the security attribute of selected memory page, and to produce the output signal
dependent upon: (i) the result of the comparison of the numerical value conveyed by the security
attribute of the current instruction to the numerical value conveyed by the security attribute of
selected memory page, and (ii) the set of security attributes of the selected memory page.



10. (Original) The memory management unit as recited in claim 9, wherein the set of security
attributes of the selected memory page comprise a user/supervisor (U/S) bit and a read/write
(R/W) bit as defined by the x86 processor architecture, and wherein U/S=0 indicates the selected
memory page is an operating system memory page and corresponds to a supervisor level of the
operating system, and wherein U/S=1 indicates the selected memory page is a user memory page
and corresponds to a user level of the operating system, and wherein R/W=0 indicates only read
accesses are allowed to the selected memory page, and wherein R/W=1 indicates that both read
and write accesses are allowed to the selected memory page.

11. (Original) A central processing unit, comprising:

an execution unit operably coupled to a memory, wherein the execution unit is configured
to fetch instructions from the memory and to execute the instructions; and

a memory management unit (MMU) operably coupled to the memory and configured to
manage the memory, wherein the MMU is configurable to manage the memory such that the
memory stores data arranged within a plurality of memory pages, and wherein the MMU
comprises:

a security check unit coupled to receive a physical address generated by the
execution unit during execution of a current instruction, wherein the physical address
resides within a selected memory page, and wherein the security check unit is configured
to use the physical address to access at least one security attribute data structure located
in the memory to obtain a security attribute of the selected memory page, to compare a
numerical value conveyed by a security attribute of the current instruction to a numerical
value conveyed by the security attribute of selected memory page, and to produce an
output signal dependent upon a result of the comparison; and

wherein the MMU is configured to access the selected memory page dependent upon the output
signal.



12. (Original) A computer system, comprising:

a memory for storing data, wherein the data includes instructions;

a central processing unit (CPU), comprising:

an execution unit operably coupled to the memory, wherein the execution unit is
configured to fetch instructions from the memory and to execute the instructions; and

a memory management unit (MMU) operably coupled to the memory and configured to
manage the memory, wherein the MMU is configurable to manage the memory such that the
memory stores the data arranged within a plurality of memory pages, and wherein the MMU
comprises:

a security check unit coupled to receive a physical address generated by the
execution unit during execution of a current instruction, wherein the physical address
resides within a selected memory page, and wherein the security check unit is configured
to use the physical address to access at least one security attribute data structure located
in the memory to obtain a security attribute of the selected memory page, to compare a
numerical value conveyed by a security attribute of the current instruction to a numerical
value conveyed by the security attribute of selected memory page, and to produce an
output signal dependent upon a result of the comparison; and

wherein the MMU is configured to access the selected memory page dependent upon the output
signal.



13. (Original) A memory management unit for managing a memory storing data arranged
within a plurality of memory pages, the memory management unit comprising:

a paging unit coupled to the memory and to receive a linear address produced during
execution of a current instruction, and configured to use the linear address to produce a physical
address within a selected memory page, wherein the paging unit is configured to use the linear
address to access at least one paged memory data structure located in the memory to obtain
security attributes of the selected memory page, and wherein the paging unit is configured to
produce a fault signal dependent upon the security attributes of the selected memory page, and
wherein the paging unit comprises:

a security check unit coupled to receive the physical address, and wherein the
security check unit is configured to use the physical address to access at least one security
attribute data structure located in the memory to obtain an additional security attribute of
the selected memory page, to compare a numerical value conveyed by a security attribute
of the current instruction to a numerical value conveyed by the additional security
attribute of selected memory page, and to produce an output signal dependent upon a
result of the comparison; and

wherein the memory management unit is configured to access the selected memory page
dependent upon the output signal.

14. (Original) The memory management unit as recited in claim 13, wherein the at least one
security attribute data structure comprises a security attribute table directory and at least one
security attribute table.

15. (Original) The memory management unit as recited in claim 14, wherein the security
attribute table directory comprises a plurality of entries, and where each entry of the security
attribute table directory includes a present bit and a security attribute table base address field, and
wherein the present bit indicates whether or not a security attribute table corresponding to the
security attribute table directory entry is present in the memory, and wherein the security
attribute table base address field is reserved for a base address of the security attribute table
corresponding to the security attribute table directory entry.



16. (Original) The memory management unit as recited in claim 14, wherein the at least one
security attribute table comprises a plurality of entries, and where each entry of the security
attribute table includes a security context identification (SCID) field, and wherein the SCID field
includes a plurality of bit positions, and wherein the bit positions form a binary representation of
an SCID value, and wherein the SCID value is an integer value greater than or equal to 0, and
wherein the SCID value indicates a security context level of a corresponding memory page.

17. (Original) The memory management unit as recited in claim 13, wherein the additional
security attribute of the selected memory page comprises a security context identification (SCID)
value, and wherein the SCID value is an integer value greater than or equal to 0 and indicates a
security context level of the selected memory page.



18. (Original) The memory management unit as recited in claim 13, wherein the security
attribute of the current instruction comprises a security context identification (SCID) value, and
wherein the SCID value is an integer value greater than or equal to 0 and indicates a security
context level of a memory page containing the current instruction.



19. (Original) The memory management unit as recited in claim 13, wherein the security
check unit is coupled to receive a current privilege level (CPL) of a current task including the
current instruction, and to produce the output signal dependent upon: (i) the result of the
comparison of the numerical values conveyed by the security attribute of the current instruction
and the security attribute of selected memory page, and (ii) the CPL of the current task including
the current instruction.

20. (Original) The memory management unit as recited in claim 13, wherein the physical
address within the selected memory page includes a base address and an offset, and wherein the
paging unit is configured to obtain the base address from the at least one paged memory data
structure.

21. (Original) The memory management unit as recited in claim 13, wherein the at least one
paged memory data structure comprises a page directory and at least one page table as defined by
the x86 processor architecture.



22. (Original) The memory management unit as recited in claim 13, wherein the security
attributes of the selected memory page comprise a user/supervisor (U/S) bit and a read/write
(R/W) bit as defined by the x86 processor architecture, and wherein U/S=0 indicates the selected
memory page is an operating system memory page and corresponds to a supervisor level of the
operating system, and wherein U/S=1 indicates the selected memory page is a user memory page
and corresponds to a user level of the operating system, and wherein R/W=0 indicates only read
accesses are allowed to the selected memory page, and wherein R/W=1 indicates that both read
and write accesses are allowed to the selected memory page.

23. (Original) A memory management unit for managing a memory storing data arranged
within a plurality of memory pages, the memory management unit comprising:

a paging unit coupled to the memory and to receive a linear address produced
during execution of a current instruction residing within a first memory page, wherein the
paging unit is configured to use the linear address to produce a physical address accessed
by the current instruction, and wherein the physical address includes a base address of a
selected memory page and an offset, and wherein the paging unit is configured to access
at least one paged memory data structure located in the memory using the linear address
to obtain the base address and security attributes of the selected memory page, and
wherein the paging unit is configured to receive a security attribute of the instruction, and
wherein the paging unit is configured to produce a fault signal dependent upon the
security attribute of the instruction and the security attributes of the selected memory
page, and wherein the paging unit comprises:

a security check unit coupled to receive the security attribute of the
instruction, the security attributes of the selected memory page, and the physical
address within the selected memory page, and wherein the security check unit is
configured to use the physical address to access at least one security attribute data
structure located in the memory to obtain an additional security attribute of the
selected memory page, to compare a numerical value conveyed by a security
attribute of the current instruction to a numerical value conveyed by the additional
security attribute of selected memory page, and to produce an output signal
dependent upon a result of the comparison; and

wherein the memory management unit is configured to access the selected memory page
dependent upon the output signal.



24. (Original) The memory management unit as recited in claim 23, wherein the at least one
paged memory data structure comprises a page directory and at least one page table as defined by
the x86 processor architecture.

25. (Original) The memory management unit as recited in claim 23, wherein the security
attribute of the current instruction comprises a current privilege level (CPL) of a task including
the current instruction as defined by the x86 processor architecture.

26. (Original) The memory management unit as recited in claim 23, wherein the security
attributes of the selected memory page comprise a user/supervisor (U/S) bit and a read/write (R/W)
bit as defined by the x86 processor architecture, and wherein U/S=0 indicates the selected
memory page is an operating system memory page and corresponds to a supervisor level of the
operating system, and wherein U/S=1 indicates the selected memory page is a user memory page
and corresponds to a user level of the operating system, and wherein R/W=0 indicates only read
accesses are allowed to the selected memory page, and wherein R/W=1 indicates that both read
and write accesses are allowed to the selected memory page.




27. (Original) The memory management unit as recited in claim 23, wherein the additional
security attribute of the selected memory page comprises a security context identification (SCID)
value, and wherein the SCID value is an integer value greater than or equal to 0 and indicates a
security context level of the selected memory page.



28. (Original) The memory management unit as recited in claim 23, wherein the security
attribute of the current instruction comprises a security context identification (SCID) value, and
wherein the SCID value is an integer value greater than or equal to 0 and indicates a security
context level of the first memory page containing the current instruction.

29. (Original) The memory management unit as recited in claim 23, wherein the at least one
security attribute data structure comprises a security attribute table directory and at least one
security attribute table.

30. (Original) The memory management unit as recited in claim 29, wherein the security
attribute table directory comprises a plurality of entries, and where each entry of the security
attribute table directory includes a present bit and a security attribute table base address field, and
wherein the present bit indicates whether or not a security attribute table corresponding to the
security attribute table directory entry is present in the memory, and wherein the security
attribute table base address field is reserved for a base address of the security attribute table
corresponding to the security attribute table directory entry.



31. (Original) The memory management unit as recited in claim 29, wherein the at least one
security attribute table comprises a plurality of entries, and where each entry of the security
attribute table includes a security context identification (SCID) field, and wherein the SCID field
includes a plurality of bit positions, and wherein the bit positions form a binary representation of
an SCID value, and wherein the SCID value is an integer value greater than or equal to 0, and
wherein the SCID value indicates a security context level of a corresponding memory page.



32. (Original) A method for providing access security for a memory used to store data
arranged within a plurality of memory pages, the method comprising:

receiving a linear address produced during execution of an instruction and a security
attribute of the instruction, wherein the instruction resides in a first memory page;

using the linear address to access at least one paged memory data structure located in the
memory to obtain a base address of a selected memory page and security attributes of the
selected memory page;

combining the base address of the selected memory page with an offset to produce a
physical address within the selected memory page if the security attribute of the instruction and
the security attributes of the selected memory page indicate the access is authorized;

generating a fault signal if the security attribute of the instruction and the security
attributes of the selected memory page indicate the access is not authorized;

accessing at least one security attribute data structure located in the memory using the
physical address of the selected memory page to obtain an additional security attribute of the first
memory page and an additional security attribute of the selected memory page;

comparing a numerical value conveyed by an additional security attribute of the first
memory page to a numerical value conveyed by the additional security attribute of selected
memory page; and

accessing the selected memory page dependent upon a result of the comparing of the
numerical values conveyed by the security attribute of the first memory page and the additional
security attribute of selected memory page.



33. (Original) The method as recited in claim 32, wherein the receiving comprises:

receiving a linear address produced during execution of an instruction and a security
attribute of the instruction, wherein the instruction resides in a first memory page, and wherein
the security attribute of the instruction comprises a current privilege level (CPL) of a task
including the instruction as defined by the x86 processor architecture.

34. (Original) The method as recited in claim 32, wherein the using comprises:

using the linear address to access at least one paged memory data structure located in the
memory to obtain a base address of a selected memory page and security attributes of the
selected memory page, wherein the at least one paged memory data structure comprises a page
directory and at least one page table as defined by the x86 processor architecture.

35. (Currently Amended) The method as recited in claim 32 34, wherein the combining
comprises:

combining the base address of the selected memory page with an offset to produce a
physical address within the selected memory page if the security attribute of the instruction and
the security attributes of the selected memory page indicate the access is authorized, wherein the
security attributes of the selected memory page comprise a user/supervisor (U/S) bit and a read/write
(R/W) bit as defined by the x86 processor architecture, and wherein U/S=0 indicates the selected
memory page is an operating system memory page and corresponds to a supervisor level of the
operating system, and wherein U/S=1 indicates the selected memory page is a user memory page
and corresponds to a user level of the operating system, and wherein R/W=0 indicates only read
accesses are allowed to the selected memory page, and wherein R/W=1 indicates that both read
and write accesses are allowed to the selected memory page.



36. (Currently Amended) The method as recited in claim 32 34, wherein the generating
comprises:

generating a fault signal if the security attribute of the instruction and the security
attributes of the selected memory page indicate the access is not authorized, wherein the fault
signal is a general protection fault (GPF) signal as defined by the x86 processor architecture.

37. (Currently Amended) The method as recited in claim 32 wherein the accessing
comprises:

accessing at least one security attribute data structure located in the memory using the
physical address of the selected memory page to obtain an additional security attribute of the first
memory page and an additional security attribute of the selected memory page, wherein the at
least one security attribute data structure comprises a security attribute table directory and at least
one security attribute table, and wherein the additional security attribute of the first memory page
comprises a security context identification (SCID) value of the first memory page, and wherein
the SCID value of the first memory page is an integer value greater than or equal to 0 and
indicates a security context level of the first memory page, and wherein the additional security
attribute of the selected memory page comprises a security context identification (SCID) value of
the selected memory page, and wherein the SCID value of the selected memory page is an
integer value greater than or equal to 0 and indicates a security context level of the selected
memory page.
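
The check sequence of claim 32, using the table structures of claims 2 to 4 and 37, modelled in C as an added illustration that is not part of the filed claims. The address split, the equal-SCID rule, write protection at every CPL, the result codes and all names are assumptions; the claims do not specify them.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (the claims give none): 32-bit physical address, 4 KiB
 * pages, bits 31..22 index the SAT directory, bits 21..12 index one SAT. */
#define SAT_ENTRIES 1024u

typedef struct { uint8_t scid; } sat_entry;                 /* SCID field */
typedef struct { unsigned present; const sat_entry *base; } sat_dir_entry;

enum check_result { ACCESS_OK, FAULT_PAGING, FAULT_NO_SAT, FAULT_SCID };

/* Two-level walk: directory entry (present bit, base address), then SAT. */
static int sat_lookup(const sat_dir_entry *dir, uint32_t phys, unsigned *scid)
{
    const sat_dir_entry *de = &dir[phys >> 22];
    if (!de->present)
        return -1;                       /* no SAT in memory for this range */
    *scid = de->base[(phys >> 12) & (SAT_ENTRIES - 1u)].scid;
    return 0;
}

/* Paging check on U/S, R/W and CPL first, then the SCID comparison.
 * Assumptions: CPL 3 is user level, R/W=0 blocks writes at every CPL
 * (x86 with CR0.WP set), and access requires equal SCID values. */
static enum check_result check_access(const sat_dir_entry *dir,
                                      uint32_t instr_phys, uint32_t target_phys,
                                      unsigned cpl, int is_write,
                                      unsigned us, unsigned rw)
{
    unsigned instr_scid = 0, page_scid = 0;

    if ((cpl == 3 && us == 0) || (is_write && rw == 0))
        return FAULT_PAGING;
    if (sat_lookup(dir, instr_phys, &instr_scid) != 0 ||
        sat_lookup(dir, target_phys, &page_scid) != 0)
        return FAULT_NO_SAT;
    return instr_scid == page_scid ? ACCESS_OK : FAULT_SCID;
}

/* Constructed sample tables: one SAT covering physical 0x000000-0x3FFFFF. */
static const sat_dir_entry *demo_tables(void)
{
    static sat_entry sat0[SAT_ENTRIES];
    static sat_dir_entry dir[1024];

    sat0[1].scid = 1;                    /* page 0x1000: code, context 1 */
    sat0[2].scid = 1;                    /* page 0x2000: data, context 1 */
    sat0[3].scid = 2;                    /* page 0x3000: data, context 2 */
    dir[0].present = 1;
    dir[0].base = sat0;
    return dir;                          /* dir[1..] stay not present */
}

int main(void)
{
    const sat_dir_entry *dir = demo_tables();

    /* Instruction in page 0x1000; first two calls: CPL 3, U/S=1, R/W=1. */
    printf("same context write: %d\n",
           check_access(dir, 0x1000, 0x2abc, 3, 1, 1, 1));
    printf("other context read: %d\n",
           check_access(dir, 0x1000, 0x3000, 3, 0, 1, 1));
    printf("no SAT present:     %d\n",
           check_access(dir, 0x1000, 0x00400000, 0, 0, 0, 1));
    return 0;
}
```

The second call passes the U/S and R/W check and is still refused, which is the case the additional security attribute exists to catch.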